HSTS header max-age for testing

The minimal duration of HSTS header is 1 month. This is a very long duration and might be risky.
Please add HSTS max-age of 10 minutes for testing purposes or allow to set max-age for any number.
https://community.cloudflare.com/t/worried-about-enabling-hsts-for-1-month/264310

You can use a Transform Rule to set the HSTS header to any value you like. Use the “HTTP Response Header Modification” type like this:

3 Likes

Thanks, still less complex is just to add 10min select option, so I don’t have to change it from 1 month.
I am sure many people are afraid to use HTST header even with transform rule.

I saw even a year, while I prefer to sue 6 months.

If all secured and is working over HTTPS, including redirection from HTTP to HTTPS, there is no need to be worried. It’s 2022 already, SSL certificates can be generated each month or each year, Web browsers are even pushing HTTPS-only :wink:

1 Like

I think the only reason someone would a low setting for testing is because they might not be sure they’re fully compliant.

1 Like

This just reminded me on one website from yesterday … If I may share my experience what I saw:

I discovered domain used Flexible SSL, but despite of that, it was configured even on a origin to redirect all from HTTP to HTTPS and I saw the HTTP header for HSTS set on 6 months + Cloudfalre had the same value and “all checkboxes were checked” for HSTS under the SSL/TLS → Edge certificates.

Nevertheless, the owner enabled Always use HTTPS, Automatic HTTPP Rerrites, and there was no SSL certificate at the origin.

I was like, how this is all still working? :laughing: :thinking:

Total mess, and in databse - WordPress of course - when I went to run “search and replace”, over 43k links pointed to HTTP URLs were changed.

But, somehow it all worked using a plugin Really Simple SSL :crazy_face:

I am afraid neither this website, owner, and origin wasn’t compliant for this, but hey, someone was also testing it, and haven’t even turned off or wasn’t aware of leaving it like that?

I wonder what things will I see next in my life :sweat_smile:

1 Like

Most simple way is to add max-age=1min/1hour/1day/1week to allow gradual increase in max-age and see that there are no problems.

Does _headers file apply to HSTS too?

Did you give it a try? I’d prefer the Transform Rule, as it won’t be affected by what you do at Github.

I didn’t try it.